Chapter 9 - University of Windsor

Cryptography and
Network Security
Sixth Edition
by William Stallings
Chapter 9
Public Key Cryptography and RSA
“Every Egyptian received two names, which
were known respectively as the true name
and the good name, or the great name and
the little name; and while the good or little
name was made public, the true or great
name appears to have been carefully
concealed.”
—The Golden Bough,
Sir James George Frazer
Misconceptions Concerning
Public-Key Encryption
• Public-key encryption is more secure from
cryptanalysis than symmetric encryption
• Public-key encryption is a general-purpose
technique that has made symmetric encryption
obsolete
• There is a feeling that key distribution is trivial
when using public-key encryption, compared to
the cumbersome handshaking involved with key
distribution centers for symmetric encryption
Table 9.1
Terminology Related to Asymmetric Encryption
Source: Glossary of Key Information Security Terms, NIST IR 7298 [KISS06]
Principles of Public-Key
Cryptosystems
• The concept of public-key cryptography evolved from
an attempt to attack two of the most difficult
problems associated with symmetric encryption:
Key distribution
• How to have secure communications in general without having to
trust a KDC with your key
Digital signatures
• How to verify that a message comes intact from the claimed sender
• Whitfield Diffie and Martin Hellman from Stanford
University achieved a breakthrough in 1976 by coming
up with a method that addressed both problems and
was radically different from all previous approaches to
cryptography
Public-Key Cryptosystems
• A public-key encryption scheme has six ingredients:
Plaintext
The
readable
message
or data
that is fed
into the
algorithm
as input
Encryption
algorithm
Performs
various
transformations on
the
plaintext
Public key
Used for
encryptio
n or
decryptio
n
Private key
Used for
encryptio
n or
decryptio
n
Ciphertext
Decryption
algorithm
The
scrambled
message
produced
as output
Accepts
the
ciphertext
and the
matching
key and
produces
the
original
plaintext
Public-Key
Cryptography
Table 9.2
Conventional and Public-Key Encryption
Public-Key Cryptosystem: Secrecy
Public-Key Cryptosystem: Authentication
Public-Key Cryptosystem:
Authentication and Secrecy
Applications for Public-Key
Cryptosystems
• Public-key cryptosystems can be classified into
three categories:
•The sender encrypts a message
Encryption/decryption
with the recipient’s public key
Digital signature
Key exchange
•The sender “signs” a message
with its private key
•Two sides cooperate to
exchange a session key
• Some algorithms are suitable for all three
applications, whereas others can be used only for
one or two
Table 9.3
Applications for Public-Key Cryptosystems
Table 9.3 Applications for Public-Key Cryptosystems
Public-Key Requirements
• Conditions that these algorithms must fulfill:
• It is computationally easy for a party B to generate a pair
(public-key PUb, private key PRb)
• It is computationally easy for a sender A, knowing the
public key and the message to be encrypted, to generate
the corresponding ciphertext
• It is computationally easy for the receiver B to decrypt
the resulting ciphertext using the private key to recover
the original message
• It is computationally infeasible for an adversary, knowing
the public key, to determine the private key
• It is computationally infeasible for an adversary, knowing
the public key and a ciphertext, to recover the original
message
• The two keys can be applied in either order
Public-Key Requirements
• Need a trap-door one-way function
• A one-way function is one that maps a domain into a range
such that every function value has a unique inverse, with the
condition that the calculation of the function is easy, whereas
the calculation of the inverse is infeasible
• Y = f(X) easy
• X = f–1(Y) infeasible
• A trap-door one-way function is a family of invertible
functions fk, such that
• Y = fk(X) easy, if k and X are known
• X = fk–1(Y) easy, if k and Y are known
• X = fk–1(Y) infeasible, if Y known but k not known
• A practical public-key scheme depends on a suitable trapdoor one-way function
Public-Key Cryptanalysis
• A public-key encryption scheme is vulnerable to a brute-force
attack
• Countermeasure: use large keys
• Key size must be small enough for practical encryption and
decryption
• Key sizes that have been proposed result in encryption/decryption
speeds that are too slow for general-purpose use
• Public-key encryption is currently confined to key management and
signature applications
• Another form of attack is to find some way to compute the
private key given the public key
• To date it has not been mathematically proven that this form of
attack is infeasible for a particular public-key algorithm
• Finally, there is a probable-message attack
• This attack can be thwarted by appending some random
bits to simple messages
Rivest-Shamir-Adleman
(RSA) Scheme
• Developed in 1977 at MIT by Ron Rivest, Adi
Shamir & Len Adleman
• Most widely used general-purpose approach
to public-key encryption
• Is a cipher in which the plaintext and
ciphertext are integers between 0 and n – 1 for
some n
• A typical size for n is 1024 bits, or 309 decimal
digits
RSA Algorithm
• RSA makes use of an expression with exponentials
• Plaintext is encrypted in blocks with each block having a binary
value less than some number n
• Encryption and decryption are of the following form, for some
plaintext block M and ciphertext block C
C = Me mod n
M = Cd mod n = (Me)d mod n = Med mod n
• Both sender and receiver must know the value of n
• The sender knows the value of e, and only the receiver knows the
value of d
• This is a public-key encryption algorithm with a public key of
PU={e,n} and a private key of PR={d,n}
Algorithm Requirements
• For this algorithm to be satisfactory for publickey encryption, the following requirements
must be met:
1. It is possible to find values of e, d, n
such that Med mod n = M for all M < n
2. It is relatively easy to calculate Me mod
n and Cd mod n for all values of M < n
3. It is infeasible to determine d given e
and n
Example of RSA Algorithm
Exponentiation in Modular
Arithmetic
• Both encryption and decryption in RSA involve
raising an integer to an integer power, mod n
• Can make use of a property of modular
arithmetic:
[(a mod n) x (b mod n)] mod n =(a x b) mod n
• With RSA you are dealing with potentially large
exponents so efficiency of exponentiation is a
consideration
Table 9.4
Efficient Operation Using
the Public Key
• To speed up the operation of the RSA
algorithm using the public key, a specific
choice of e is usually made
• The most common choice is 65537 (216 + 1)
• Two other popular choices are e=3 and e=17
• Each of these choices has only two 1 bits, so the
number of multiplications required to perform
exponentiation is minimized
• With a very small public key, such as e = 3, RSA
becomes vulnerable to a simple attack
Efficient Operation Using
the Private Key
• Decryption uses exponentiation to power d
• A small value of d is vulnerable to a brute-force
attack and to other forms of cryptanalysis
• Can use the Chinese Remainder Theorem
(CRT) to speed up computation
• The quantities d mod (p – 1) and d mod (q – 1)
can be precalculated
• End result is that the calculation is
approximately four times as fast as evaluating
M = Cd mod n directly
Key Generation
• Before the application of
the public-key
cryptosystem each
participant must
generate a pair of keys:
• Determine two prime
numbers p and q
• Select either e or d and
calculate the other
• Because the value of n = pq
will be known to any
potential adversary, primes
must be chosen from a
sufficiently large set
• The method used for
finding large primes must
be reasonably efficient
Procedure for Picking a
Prime Number
• Pick an odd integer n at random
• Pick an integer a < n at random
• Perform the probabilistic primality test with a
as a parameter. If n fails the test, reject the
value n and go to step 1
• If n has passed a sufficient number of tests,
accept n; otherwise, go to step 2
The Security of RSA
Brute force
Chosen ciphertext
attacks
• This type of attack
exploits properties
of the RSA
algorithm
Hardware fault-based
attack
• This involves inducing
hardware faults in the
processor that is
generating digital
signatures
• Involves
trying all
possible
private keys
Five
possible
approaches
to
attacking
RSA are:
Mathematical attacks
• There are several
approaches, all
equivalent in effort to
factoring the product
of two primes
Timing attacks
• These depend on the
running time of the
decryption
algorithm
Factoring Problem
• We can identify three approaches to attacking
RSA mathematically:
• Factor n into its two prime factors. This enables
calculation of ø(n) = (p – 1) x (q – 1), which in
turn enables determination of d = e-1 (mod ø(n))
• Determine ø(n) directly without first
determining p and q. Again this enables
determination of d = e-1 (mod ø(n))
• Determine d directly without first determining
ø(n)
T
a 9
b .
l 5
e
Table 9.5 Progress in RSA Factorization
MIPS-Years
Needed
to
Factor
Timing Attacks
• Paul Kocher, a cryptographic consultant,
demonstrated that a snooper can determine a
private key by keeping track of how long a
computer takes to decipher messages
• Are applicable not just to RSA but to other
public-key cryptography systems
• Are alarming for two reasons:
• It comes from a completely unexpected
direction
• It is a ciphertext-only attack
Countermeasures
Constant
exponentiation time
•Ensure that all
exponentiations take the
same amount of time
before returning a result;
this is a simple fix but does
degrade performance
Random delay
Blinding
•Better performance could
be achieved by adding a
random delay to the
exponentiation algorithm
to confuse the timing
attack
•Multiply the ciphertext by
a random number before
performing
exponentiation; this
process prevents the
attacker from knowing
what ciphertext bits are
being processed inside the
computer and therefore
prevents the bit-by-bit
analysis essential to the
timing attack
Fault-Based Attack
• An attack on a processor that is generating RSA digital
signatures
• Induces faults in the signature computation by reducing the
power to the processor
• The faults cause the software to produce invalid signatures
which can then be analyzed by the attacker to recover the
private key
• The attack algorithm involves inducing single-bit errors and
observing the results
• While worthy of consideration, this attack does not appear
to be a serious threat to RSA
• It requires that the attacker have physical access to the target
machine and is able to directly control the input power to the
processor
Chosen Ciphertext Attack
(CCA)
• The adversary chooses a number of ciphertexts and is
then given the corresponding plaintexts, decrypted
with the target’s private key
• Thus the adversary could select a plaintext, encrypt it
with the target’s public key, and then be able to get the
plaintext back by having it decrypted with the private
key
• The adversary exploits properties of RSA and selects
blocks of data that, when processed using the target’s
private key, yield information needed for cryptanalysis
• To counter such attacks, RSA Security Inc.
recommends modifying the plaintext using a
procedure known as optimal asymmetric encryption
padding (OAEP)
Optimal
Asymmetric
Encryption
Padding
(OAEP)
Summary
• Public-key
cryptosystems
• Applications for publickey cryptosystems
• Requirements for
public-key
cryptography
• Public-key cryptanalysis
• The RSA algorithm
• Description of the
algorithm
• Computational
aspects
• Security of RSA